path: root/docs/configuration/service/dns.rst
Diffstat (limited to 'docs/configuration/service/dns.rst')
-rw-r--r--docs/configuration/service/dns.rst73
1 files changed, 44 insertions, 29 deletions
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
index f332c55c..204b6466 100644
--- a/docs/configuration/service/dns.rst
+++ b/docs/configuration/service/dns.rst
@@ -11,8 +11,8 @@ VyOS provides DNS infrastructure for small networks. It is designed to be
lightweight and have a small footprint, suitable for resource constrained
routers and firewalls, for this we utilize PowerDNS recursor.
-The VyOS DNS forwarder does not require an upstream DNS server. It can serve as a
-full recursive DNS server - but it can also forward queries to configurable
+The VyOS DNS forwarder does not require an upstream DNS server. It can serve as
+a full recursive DNS server - but it can also forward queries to configurable
upstream DNS servers. By not configuring any upstream DNS servers you also
avoid to be tracked by the provider of your upstream DNS server.
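Review bot: the unchanged context line "avoid to be tracked by the provider of your upstream DNS server" is ungrammatical; since this hunk already re-wraps the same paragraph, it would be worth fixing it to "avoid being tracked by the provider of your upstream DNS server" in the same pass rather than leaving a second wording-only commit for later.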
@@ -28,9 +28,10 @@ avoid to be tracked by the provider of your upstream DNS server.
.. cfgcmd:: set service dns forwarding domain <domain-name> server <address>
- Forward received queries for a particular domain (specified via `domain-name`)
- to a given name-server. Multiple nameservers can be specified. You can use
- this feature for a DNS split-horizon configuration.
+ Forward received queries for a particular domain
+ (specified via `domain-name`) to a given name-server. Multiple nameservers
+ can be specified. You can use this feature for a DNS split-horizon
+ configuration.
.. note:: This also works for reverse-lookup zones (``18.172.in-addr.arpa``).
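Review bot: the re-wrapped sentence mixes "name-server" and "nameservers" ("to a given name-server. Multiple nameservers can be specified"); pick one spelling, e.g. "to a given name server. Multiple name servers can be specified." while these lines are being touched.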
@@ -41,7 +42,8 @@ avoid to be tracked by the provider of your upstream DNS server.
recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and
IPv6 networks to query this server. This is on general a bad idea.
-.. cfgcmd:: set service dns forwarding dnssec <off | process-no-validate | process | log-fail | validate>
+.. cfgcmd:: set service dns forwarding dnssec
+ <off | process-no-validate | process | log-fail | validate>
The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can
be set with the dnssec setting. In order from least to most processing, these
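Review bot: splitting the `.. cfgcmd::` argument over two lines ("set service dns forwarding dnssec" / "<off | process-no-validate | process | log-fail | validate>") depends on the custom directive joining continuation lines into one command string; please confirm the rendered page still shows the full command including the option list before merging. Separately, the unchanged context line "This is on general a bad idea." should read "This is in general a bad idea." and could be corrected in this hunk.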
@@ -103,23 +105,25 @@ avoid to be tracked by the provider of your upstream DNS server.
.. cfgcmd:: set service dns forwarding listen-address
- The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwarder will listen on this address for
- incoming connections.
+ The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwarder
+ will listen on this address for incoming connections.
Example
=======
-A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to implement a split-horizon DNS configuration for example.com.
+A VyOS router with two interfaces - eth0 (WAN) and eth1 (LAN) - is required to
+implement a split-horizon DNS configuration for example.com.
In this scenario:
-* All DNS requests for example.com must be forwarded to a DNS server at 192.0.2.254
- and 2001:db8:cafe::1
-* All other DNS requests will be forwarded to a different set of DNS servers at 192.0.2.1,
- 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff
-* The VyOS DNS forwarder will only listen for requests on the eth1 (LAN) interface addresses - 192.168.1.254
- for IPv4 and 2001:db8::ffff for IPv6
-* The VyOS DNS forwarder will only accept lookup requests from the LAN subnets - 192.168.1.0/24 and 2001:db8::/64
+* All DNS requests for example.com must be forwarded to a DNS server
+ at 192.0.2.254 and 2001:db8:cafe::1
+* All other DNS requests will be forwarded to a different set of DNS servers at
+ 192.0.2.1, 192.0.2.2, 2001:db8::1:ffff and 2001:db8::2:ffff
+* The VyOS DNS forwarder will only listen for requests on the eth1 (LAN)
+ interface addresses - 192.168.1.254 for IPv4 and 2001:db8::ffff for IPv6
+* The VyOS DNS forwarder will only accept lookup requests from the
+ LAN subnets - 192.168.1.0/24 and 2001:db8::/64
.. code-block:: none
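Review bot: the `listen-address` description only says the forwarder binds to the given addresses; it does not say that binding alone is not the client access control, which is what the `allow-from` text earlier in this file covers (the "0.0.0.0/0 or ::/0 would allow all IPv4 and IPv6 networks to query this server" warning). Consider adding a one-line cross-reference to `allow-from` here, since the example below correctly pairs a LAN-only listen address with LAN-only allowed subnets and readers should see why both settings are needed.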
@@ -139,12 +143,13 @@ Operation
.. opcmd:: reset dns forwarding <all | domain>
- Resets the local DNS forwarding cache database. You can reset the cache for all
- entries or only for entries to a specific domain.
+ Resets the local DNS forwarding cache database. You can reset the cache
+ for all entries or only for entries to a specific domain.
.. opcmd:: restart dns forwarding
- Restarts the DNS recursor process. This also invalidates the local DNS forwarding cache.
+ Restarts the DNS recursor process. This also invalidates the local DNS
+ forwarding cache.
.. _dynamic-dns:
@@ -175,26 +180,31 @@ Configuration
address assigned to `<interface>` on the service you configured under
`<service-name>`.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> key <keyfile>
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+ key <keyfile>
File identified by `<keyfile>` containing the secret RNDC key shared with
remote DNS server.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> server <server>
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+ server <server>
Configure the DNS `<server>` IP/FQDN used when updating this dynamic
assignment.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> zone <zone>
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+ zone <zone>
Configure DNS `<zone>` to be updated.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> record <record>
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+ record <record>
Configure DNS `<record>` which should be updated. This can be set multiple
times.
-.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl>
+.. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name>
+ ttl <ttl>
Configure optional TTL value on the given resource record. This defualts to
600 seconds.
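Review bot: the unchanged context line "This defualts to 600 seconds." has a typo ("defaults"); since the `ttl` cfgcmd directly above it is being re-wrapped in this hunk, fix it here. For the `key <keyfile>` entry, the text says the file holds the shared secret, so a short note that the key file should not be world-readable would help operators.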
@@ -248,30 +258,35 @@ VyOS is also able to use any service relying on protocols supported by ddclient.
To use such a service, one must define a login, password, one or multiple
hostnames, protocol and server.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service> host-name <hostname>
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+ host-name <hostname>
Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS
provider identified by `<service>` when the IP address on interface
`<interface>` changes.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service> login <username>
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+ login <username>
Configure `<username>` used when authenticating the update request for
DynDNS service identified by `<service>`.
For Namecheap, set the <domain> you wish to update.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service> password <password>
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+ password <password>
Configure `<password>` used when authenticating the update request for
DynDNS service identified by `<service>`.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service> protocol <protocol>
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+ protocol <protocol>
When a ``custom`` DynDNS provider is used the protocol used for communicating
to the provider must be specified under `<protocol>`. See the embedded
completion helper for available protocols.
-.. cfgcmd:: set service dns dynamic interface <interface> service <service> server <server>
+.. cfgcmd:: set service dns dynamic interface <interface> service <service>
+ server <server>
When a ``custom`` DynDNS provider is used the `<server>` where update
requests are being sent to must be specified.
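Review bot: in the `login <username>` block the line "For Namecheap, set the <domain> you wish to update." leaves `<domain>` unquoted, while every other placeholder in this hunk is written as `` `<username>` ``, `` `<password>` `` and so on; wrap it the same way for consistent rendering. Also, since the `password <password>` entry stores a provider credential in the router configuration, consider adding a sentence pointing out that the value appears in the saved configuration so readers handle config exports accordingly.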